The Hacker News — Cyber Security, Hacking, Technology News

Rather than crafting malware specifically for the Windows platform, cyber attackers have started creating cross-platform malware for wider reach.

Due to the rise in popularity of Mac OS X and other Windows desktop alternatives, hackers have begun designing cross-platform malware modularly for wide distribution.

Cross-platform malware is loaded with specialized payloads and components, allowing it to run on multiple platforms.

One such malware family, which runs on all the major operating systems, including Windows, Linux, and Mac OS X, has recently been discovered by researchers at Kaspersky Lab.

Stefan Ortloff, a researcher from Kaspersky Lab's Global Research and Analysis Team, first discovered the Linux and Windows variants of this family of cross-platform backdoors, dubbed Mokes, in January this year.

Now the researcher has confirmed the existence of an OS X variant of this malware family, publishing a technical breakdown of the backdoor in a post on Securelist.

Like the Linux and Windows variants, the OS X variant, Backdoor.OSX.Mokes.a, specializes in capturing audio and video, logging keystrokes and taking screenshots every 30 seconds from a victim's machine.

The variant is written in C++ using Qt, a cross-platform application framework widely used to develop applications that run on many software and hardware platforms.

The backdoor can also monitor removable storage, for example when a USB drive is connected to or removed from the computer.

It can also scan the file system for Office documents, including .docx, .doc, .xlsx, and .xls files.

The OS X backdoor can also execute arbitrary commands on the victim’s computer from its command and control (C&C) server.

The backdoor establishes an encrypted connection with its command and control server and communicates using AES-256 encryption, which is considered to be a secure encryption algorithm.

Ortloff notes, right after execution, the OS X sample he analyzed copies itself to a handful of locations, including caches that belong to Skype, Dropbox, Google, and Firefox. This behavior is similar to the Linux variant that copied itself to locations belonging to Dropbox and Firefox after execution.

The researcher has not attributed the Mokes backdoor family to any hacking group, state-sponsored actor or country, nor has he detailed the OS X backdoor's infection vector or how widespread it is.

However, based on the currently available information, the backdoor seems to be a sophisticated piece of malware.

A security researcher has discovered a unique attack method that can steal credentials from a locked (but logged-in) computer and works on both Windows and Mac OS X systems.

In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.

Fuller modified the firmware of a USB Ethernet adapter so that, when it is plugged into the target computer, the plug-and-play device installs itself and acts as the network gateway, DNS server, and Web Proxy Auto-Discovery Protocol (WPAD) server for the victim's machine.

The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

How does the Attack Work?

The attack works because of the default behavior of Microsoft Windows' name resolution services, which can be abused to steal authentication credentials.

The modified plug-and-play USB Ethernet adapter runs a piece of software, Responder, which spoofs network services to intercept hashed credentials and then stores them in an SQLite database.

The hashed credentials collected by the network exploitation tool can later be brute-forced to recover cleartext passwords.

To conduct this attack, an attacker needs physical access to the target computer in order to plug in the malicious USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.

You can watch the video demonstration below that shows Fuller's attack in action.

Own an Android smartphone? Beware, as an innocuous-looking image on social media or in a messaging app could be enough to compromise it.

Along with the dangerous Quadrooter vulnerabilities that affected 900 Million devices and other previously disclosed issues, Google has patched a previously unknown critical bug that could let attackers deliver their hack hidden inside an innocent-looking image via social media or chat apps.

In fact, the victim does not even need to click on the malicious photo: as soon as the phone parses the image's data, a remote attacker could quietly take control of the device or simply crash it.

The vulnerability is similar to last year's Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.

The Stagefright flaw affected more than 950 Million Android devices and resided in the core Android component Stagefright — a multimedia playback library used by Android to process, record and play multimedia files.

However, the recent vulnerability (CVE-2016-3862) resided in the way certain Android applications parsed the Exif data in an image, SentinelOne's Tim Strazzere, the researcher who uncovered the vulnerability, told Forbes.

Any app using Android's ExifInterface Java class is likely vulnerable to the issue.
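Parsing untrusted Exif metadata is exactly the kind of code this class of bug lives in. As an added illustration (not Strazzere's exploit, and not the actual root cause of CVE-2016-3862, which the article does not detail), here is a minimal Exif IFD0 parser in Python in which every offset and count taken from the file is bounds-checked, together with a constructed sample image header and a constructed malformed variant:

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # Exif field type -> bytes per component

def parse_ifd0(tiff: bytes, max_entries: int = 512) -> dict:
    """Parse IFD0 of a TIFF/Exif blob (what follows the "Exif" marker in a JPEG APP1 segment).
    Every offset and count taken from the file is checked against len(tiff) before use,
    so a malformed file raises ValueError instead of being read out of bounds."""
    if len(tiff) < 8:
        raise ValueError("TIFF header truncated")
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])          # byte-order mark selects struct endianness
    if e is None:
        raise ValueError("bad byte-order mark")
    magic, ifd = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd < 8 or ifd + 2 > len(tiff):
        raise ValueError("bad TIFF magic or IFD0 offset out of range")
    (n,) = struct.unpack_from(e + "H", tiff, ifd)
    if n > max_entries or ifd + 2 + 12 * n > len(tiff):
        raise ValueError("IFD0 entry table out of range")
    tags = {}
    for pos in range(ifd + 2, ifd + 2 + 12 * n, 12):     # 12-byte entries: tag, type, count, value/offset
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, pos)
        if typ not in TYPE_SIZES:
            raise ValueError(f"unknown field type {typ} for tag {tag:#06x}")
        total = TYPE_SIZES[typ] * count                  # in C this multiply also needs an overflow check
        if total <= 4:                                   # values of up to 4 bytes are stored inline
            tags[tag] = tiff[pos + 8:pos + 8 + total]
        else:                                            # longer values live at a file offset
            (off,) = struct.unpack_from(e + "I", tiff, pos + 8)
            if off + total > len(tiff):
                raise ValueError(f"data for tag {tag:#06x} out of range")
            tags[tag] = tiff[off:off + total]
    return tags

def make_tiff(model_count: int) -> bytes:
    """Constructed (not captured) little-endian sample: IFD0 with Make stored inline and
    Model at offset 38; model_count is written as Model's count so a bogus length can be injected."""
    ifd = struct.pack("<H", 2)                                                  # two entries
    ifd += struct.pack("<HHI", 0x010F, 2, 4) + b"Cam\0"                         # Make, ASCII, inline
    ifd += struct.pack("<HHI", 0x0110, 2, model_count) + struct.pack("<I", 38)  # Model, ASCII, via offset
    ifd += struct.pack("<I", 0)                                                 # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"ModelX\0"                # header + IFD + Model data

def is_rejected(blob: bytes) -> bool:
    """True if the parser refuses the blob instead of reading past its end."""
    try:
        parse_ifd0(blob)
        return False
    except ValueError:
        return True
```

A count of 7 for Model parses cleanly, while a count of 8 (one byte past the end of the blob) or an absurd count is refused before any out-of-range read happens.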

An Image Received...? Your Game is Over

By getting a victim to open the image file within an affected app like Gchat or Gmail, a hacker could either crash the victim's phone or remotely execute malicious code to install malware and take control of the device without the victim's knowledge.

"Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone," Strazzere said. "Once that application attempts to parse the image (which was done automatically), the crash is triggered."

According to Strazzere, attackers could develop a simple exploit inside an image to target a large number of vulnerable Android devices.

Strazzere crafted exploits for the affected devices and found that it worked on Gchat, Gmail and most other messenger and social media apps, though he did not disclose the names of the other non-Google apps affected by the flaw.

When can I expect a Fix?

All versions of Google's operating system from Android 4.4.4 to 6.0.1 are vulnerable to the image-based attack, apart from builds that include today's update, which fixes the vulnerability.

The researcher even successfully tested his exploits on a handful of phones running Android 4.2 and on Amazon devices and found that they remain unpatched, leaving a large number of users of older Android devices exposed.

So, if your device is not running an updated version of the operating system, you are probably vulnerable to the image-based attack.

Google has delivered a patch to fix the issue, but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.

Google rewarded Strazzere with $4,000 as part of the company's Android bug bounty program and another $4,000, Forbes reports; Strazzere had pledged to give all his reward money to Girls Garage, a program and workspace for girls aged 9-13.

Another data breach from 2012, and this time, it's Russia's biggest internet portal and email provider Rambler.ru.

Rambler.ru, also known as Russia's Yahoo, suffered a massive data breach in 2012 in which an unknown hacker or a group of hackers managed to steal nearly 100 Million user accounts, including their unencrypted plaintext passwords.

A copy of the hacked database obtained by the breach notification website LeakedSource contains details of 98,167,935 Rambler.ru users; the data was originally stolen on 17 February 2012 but went unreported.

The leaked user records in the database included usernames, email addresses, ICQ numbers (an instant messaging service), social account details, passwords and some internal data, the data breach indexing site said in a blog post.

The data breach was reported by the same hacker, using the Jabber ID daykalif@xmpp.jp, who handed LeakedSource over 43.5 Million user records from another 2012 hack, this one suffered by the Last.fm music streaming service.

According to LeakedSource, none of the passwords were hashed, meaning the company stored its users' passwords in plaintext, so anyone with access to the database, whether the company or hackers, could read them directly.

This is similar to the VK.com breach, in which 171 Million user accounts were taken from the Russian social networking site, where passwords were also stored in plaintext without any hashing or salting.

Again, as expected, the most common passwords used by Rambler.ru users include "asdasd," "123456," "000000," "654321," "123321," and "123123."

LeakedSource has added the data to its database, so Rambler.ru users can check whether they have been compromised by searching for their account in LeakedSource's search engine.

Rambler.ru is the latest victim to join the list of "Mega-Breaches" revealed in recent months, when hundreds of Millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox, were exposed online.

Rambler has yet to respond to the incident.

The Bottom Line:

Users are advised to change the password for their Rambler.ru account immediately, as well as for any other online accounts that use the same password.

Moreover, I always encourage users to make use of password managers, which create strong, unique passwords for different websites and remember them on your behalf.

I have listed some of the best password managers, which could help you understand why a password manager matters and choose one that fits your requirements.

Good news: this month we bring our readers an amazing deal where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

Air-gapped computers that are isolated from the Internet or other networks and believed to be the most secure computers on the planet have become a regular target in recent years.

A team of researchers from Ben-Gurion University in Israel has discovered a way to extract sensitive information from air-gapped computers, this time using radio frequency transmissions from USB connectors without any need for specialized hardware on the USB device.

Dubbed USBee, the attack is a significant improvement over the NSA-made USB exfiltrator called CottonMouth that was mentioned in a document leaked by former NSA employee Edward Snowden.

Unlike CottonMouth, USBee doesn't require an attacker to smuggle a modified USB device into the facility housing the targeted air-gapped computer; rather, the technique turns USB devices already inside the facility into an RF transmitter, with no hardware modification required.

Moreover, USBee does not involve any implant in USB firmware and drivers to execute the attack.

"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [RF] transmitting hardware since it uses the USB's internal data bus."

The researchers stress that the USBee attack method is based solely on software, though certain conditions have to be met for it to work. They are:

The protected computer must first be infected with the malware, most probably with the help of an insider.

A USB device (of any kind) must be plugged into that infected air-gapped computer.

The attacker has to be near the compromised device, usually within 3-5 meters at most.

USBee turns the targeted computer's USB ports into mini Radio Frequency (RF) transmitters by modulating the data fed at high-speed to plugged-in devices.

USBee then sends a string of '0' bits to a USB port in such a way that the device generates detectable emissions at frequencies between 240 MHz and 480 MHz, according to Mordechai Guri, one of the researchers.

Now, by writing sequences of '0' and '1', attackers can generate a carrier wave from the rapid voltage changes and then use binary frequency shift keying (B-FSK) to encode useful data.

Since the attack is meant to steal binary data, attackers wouldn’t be able to steal any large files, but could get their hands on keys, passwords, and other small bits of sensitive data stored on the targeted computer.